CVE-2026-33675 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeade…
Medium CVSS: 6.4

CVE-2026-33675

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.
Vendor
Vikunja
Product
Vikunja
CWE
CWE-918
Yayın Tarihi
2026-03-24 16:16:34
Güncelleme
2026-03-27 16:20:07
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-918 Vikunja MEDIUM Vikunja 2026

Referanslar

https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr https://vikunja.io/changelog/vikunja-v2.2.2-was-released https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr